Subject: Re: Easy to follow NAMED & SSHD....
To: Mark Benson <mdb299@soton.ac.uk>
From: Don Yuniskis <auryn@gci-net.com>
List: port-mac68k
Date: 01/01/2002 02:54:31
>At 8:57 PM -0700 12/31/01, Don Yuniskis wrote:
>>Hmmm... can I ask why you gave each machine two names?
>>Neither appear to be dual homed... ?
>
>No particular reason...just nice to have options ;-)

Oh.

>>Yes.  And, depending on your ISP, if that bogus domain name
>>starts appearing in the envelope of your outbound email, your
>>ISP's mail server may decide to reject mail from you (been
>>there, done that, got the T-shirt to prove it...)
>
>Yeah, you should either not run a mailserver or should use the 
>masquerade-as directive.

Yes.

>>Note that CNAMEs can be a problem with some tools.
>
>Probably 75% of all DNS names are CNAMEs...I've never found anything 
>that couldn't be done with them. The figure wasn't based on any 
>statistic...just the fact that most computers have at least 1 
>CNAME...many have multiple CNAMEs. There are many sites, for 
>instance, with a single computer acting as www.x.com, ftp., pop3., 
>smtp., mail., etc. Also, most web hosting services host numerous 
>websites on each computer, often with name-based virtual hosting. 
>This wouldn't work if there were issues with using CNAMEs.

CNAMES are huge sources of potential screwups...

Fred.foo.com    CNAME    Larry.baz.com

Do you know Larry.baz.com really exists?  Will it *continue*
to exist (i.e. it is probably under a different SOA and
folks there might remove/rename it at any time...)

Fred.foo.com    CNAME    Barney.foo.com
...
Barney.foo.com  CNAME    Fred.foo.com

Ooops!  :>  And, of course, Barney might be in a different
SOA and point back to Fred (i.e. someone else might be
administering that zone and "you" are unaware of the change
he just made...).  Sounds silly to point arbitrary names
at each other?  Maybe look at it using a different set of
(vanity) names:

WWW.foo.com    CNAME    WWW.baz.com
...
WWW.baz.com    CNAME    WWW.foo.com

I.e. guy at baz decides that foo will now be serving up
the web pages -- unaware that foo has already decided
that baz will be doing this...

foo.com        NS       DNS.foo.com
...
DNS.foo.com    CNAME    somehost.foo.com

Remember, each "foo" could just as easily be a "baz"
(i.e. in a different SOA)

foo.com        MX       Mail.foo.com
...
Mail.foo.com   CNAME    somehost.foo.com

Actually, this case is legal (I *think*) per RFCs
but can/will break some mailers.  I think sendmail
has flip-flopped over the years re: whether it
does a lookup on the returned CNAME or just barfs...

You also have subtle issues like IP based
authentication which can get hosed...

fred.foo.com ultimately resolves to x.x.x.x.
Do a reverse lookup on x.x.x.x (to fight spoofing) and
you find barney.foo.com.  (Or, perhaps barney.baz.com)
Hmmm... fred.foo.com != barney.baz.com... is this a 
hacking/spoofing attempt??

Etc. (at ~3AM I'm not too excited about thinking up
other examples... :>)

Note that verifying a "correct" configuration can be
difficult.  Since servers cache entries for the TTL,
your attempt to resolve barney.baz.com, for example,
to verify that it is an A record, might yield one
answer *now* even though the actual named database
has already been changed (i.e. the TTL hasn't expired
yet to cause an update).

As I said previously, DNS is not trivial to set up
*right*...

--don
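A small offline checker for the pitfalls listed above (CNAME loops, CNAME targets that live in a zone you do not control, and NS/MX records that point at an alias), written here as an added example; it is not code from the thread or from the port-mac68k project. The zone table is constructed sample data that mirrors the post's fred/barney names, and the NS/MX rule it applies is the one in RFC 2181 section 10.3 (NS and MX targets must not be aliases); the reverse-lookup and TTL problems from the post need live queries and are not covered.

```python
from typing import Dict, List, Tuple

# owner name -> list of (rrtype, rdata); names are fully qualified, lowercase
Zone = Dict[str, List[Tuple[str, str]]]

# Constructed sample data mirroring the post's examples; not a real zone.
ZONE: Zone = {
    "foo.com.":          [("NS", "dns.foo.com."), ("MX", "mail.foo.com.")],
    "fred.foo.com.":     [("CNAME", "barney.foo.com.")],
    "barney.foo.com.":   [("CNAME", "fred.foo.com.")],
    "dns.foo.com.":      [("CNAME", "somehost.foo.com.")],
    "mail.foo.com.":     [("CNAME", "somehost.foo.com.")],
    "somehost.foo.com.": [("A", "192.0.2.10")],
    "wilma.foo.com.":    [("CNAME", "larry.baz.com.")],  # foreign zone, unknown here
}


def follow_cname(zone: Zone, name: str, limit: int = 8) -> Tuple[str, str]:
    """Follow a CNAME chain from `name`; returns (last_name, status).

    status: 'ok' when the chain ends at an owner holding non-CNAME data,
    'loop' when a name repeats or the chain exceeds `limit`, 'dangling'
    when a target is absent from the data we hold (somebody else's zone).
    """
    seen = set()
    name = name.lower()
    while True:
        if name in seen or len(seen) > limit:
            return name, "loop"
        seen.add(name)
        rrs = zone.get(name)
        if rrs is None:
            return name, "dangling"
        targets = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not targets:
            return name, "ok"
        name = targets[0].lower()


def audit(zone: Zone) -> List[str]:
    """Report the CNAME pitfalls from the post as human-readable findings."""
    findings = []
    for owner, rrs in sorted(zone.items()):
        for rtype, rdata in rrs:
            if rtype == "CNAME":
                last, status = follow_cname(zone, owner)
                if status != "ok":
                    findings.append(f"{owner} CNAME chain {status} at {last}")
            # RFC 2181 s10.3: NS and MX targets must not be aliases
            elif rtype in ("NS", "MX") and any(t == "CNAME" for t, _ in zone.get(rdata, [])):
                findings.append(f"{owner} {rtype} target {rdata} is a CNAME")
    return findings
```

Run `audit(ZONE)` against your own zone file parsed into the same table shape to flag the loop, the alias targets and the unverifiable foreign CNAME before they reach a live server.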